After doing the AWAE course, I felt like I needed to do more practice. There are other materials such as the HTB boxes similar to OSWE. I am just adding to the collection.
Recently, there was a vulnerability reported in Zentao Pro 8.8.2 that can result in remote command execution.
This blog will just guide you through how to set up the lab and it will have some tips for you to get you going. I would rank this vulnerability as EASY.
Lab Set Up:
- Create a Windows VM
- Download and install Zentao Pro 8.8.2
- Install git ( you will need this to go through one of the use cases).
- Install a text editor of your choice, this will help you go through the files.
- Log in with admin:123456 and change the password so its ready.
- Set up the attacker VM and lab VM on a host only/internal network and make sure they can connect.
After this, you’re ready to go.
Master List / Questions to ask to get you going:
- What is the purpose of the application.
- What features are there.
- Go through the different use cases for the application.
- What sensitive functions are there related to the technologies used.
- If you’re really stuck, you can go through the exploit on exploitdb to guide you.
The next blog will describe the process / decision making I used for finding the vulnerability.